When you read reports about cyber-attacks affecting operational technology (OT), it’s easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.
Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT’s lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we’d like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward.
Before we define any type of OT cyber-attack, we need to define what we’re considering as OT. Most OT environments are unique due to several factors, such as the different applications and use cases, the numerous vendor ecosystems, and the simple fact that there are multiple ways to engineer a physical process, to name a few. Because of this, it helps to turn to the Purdue Enterprise Reference Architecture (PERA), commonly known as the Purdue Model, depicted in Figure 1.
From the top, it begins by outlining levels 4 and 5 as the Enterprise Zone, where traditional IT is encountered. Next is level 3.5, the Demilitarized Zone (DMZ), which acts as a separator between IT and OT and, therefore, the OT’s perimeter. The remaining levels below the DMZ are all OT. Levels 2 and 3 are similar in that they both may monitor, control, and even configure the physical environment. However, level 2 is typically specific to a single cell or process and perhaps even physically close, whereas level 3 is generally centralized, particularly in geographically dispersed organizations. Level 1 is the heart of OT, where devices such as programmable logic controllers (PLCs) will sense and actuate the physical world according to the logic they have been provided. Finally, we reach level 0, which, for all intents and purposes, is the physical world and contains the sensors and actuators that the PLCs use to manipulate it.
The different types of OT cyber-attacks aren’t necessarily defined by the assets that they impact but rather by the assets that they target and how they are targeted. More specifically, the precision, skillset, and intent with which they are targeted. While that distinction may sound pedantic, it changes the threat landscape that defenders need to consider and makes it challenging for traditional IT controls to keep up. There are 5 types of OT cyber-attacks that can be grouped into two distinct categories; let’s explore them.
The first category of cyber-attacks endured by OT is the most frequent in public reports. They are characterized by the use of only IT tactics, techniques, and procedures (TTPs) but still manage to affect production in some way. There are 3 types of OT cyber-attack in this first category.
The first type, 1a, occurs when the adversary never reaches the OT environment at all. As far as the adversary is concerned, the attack does not target the victim's OT. Instead, the OT suffers cascading impacts from an uncontained IT cyber-attack; for example, a cyber extortion (Cy-X) attack that takes down shipping systems, leaving product with nowhere to go and forcing production to stop. The OT impacts can range from a temporary loss of telemetry all the way to a complete loss of production and a complex, time-consuming process to bring it back online. It is important to note that any IT cyber-attack may also result in the OT environment being disconnected or shut down as part of the response and recovery efforts, which would ultimately cause similar effects.
The second type, 1b, is when the OT is reached by an adversary either by accident or just because they could. Still conducting IT TTPs, the adversary may deploy ransomware or exfiltrate data for double extortion. However, perhaps due to a weak or non-existent DMZ, the adversary’s attack may extend to some OT assets in levels 2 or 3 of the Purdue Model. The affected OT assets may include devices such as engineering workstations, Windows-based human-machine interfaces (HMIs), and other IT-based technology. Although the adversary has managed to directly affect OT assets, the targeting is generally not deliberate. The impact of this attack type may include loss of configurability or even control of the OT environment.
The third type in this category, 1c, is the most nuanced and the closest in nature to the next category. Here, an adversary with little to no OT capability may deliberately target the Windows-based OT assets of an organization with IT TTPs. This may be to trigger more of a response from the victim or to cause a more serious impact than from just affecting IT. This attack type may deliberately target OT assets, but only those with which an IT-focused adversary would be familiar. There is otherwise no OT-specific intent or utilization in such an attack, nor is there any precision in the way production is impacted. As with type 1b, the impact of this type of attack may include loss of configurability or control of the OT environment, and production is only likely to be affected by cascading effects or response and recovery efforts.
The second category includes the two types that likely spring to mind whenever OT cyber-attacks are mentioned. These are characterized by the inclusion of OT-specific TTPs and have the primary intention of directly affecting production in some way.
The overall fourth type and first of the second category, 2a, is sometimes known as the ‘nuisance attack’. This type of cyber-attack is predicated on the adversary reaching the OT, whether or not a DMZ stands in the way. It leverages rudimentary OT-specific knowledge and TTPs, but in a blunt fashion with little precision or complexity. Rather than just disrupting Windows-based assets as in category 1 attacks, it may target OT assets in deeper levels of the Purdue Model, closer to the physical process, such as PLCs and remote telemetry units (RTUs). The OT-specific techniques leveraged are crude and frequently rely on publicly known exploitation frameworks and tooling. The impact of this type of OT cyber-attack generally involves stopping PLCs from cycling or imprecisely changing PLC outputs. This will undoubtedly affect production, but such blunt attacks are often overt and trigger a swift response and recovery effort.
The final type, 2b, is the most advanced but also most rarely observed. By exercising advanced OT capability, these cyber-attacks are precise and complex in both their execution and impact. They involve extensive process comprehension, an OT-specific tactic of gathering information to understand the physical environment and how the OT interacts with it. Adversaries craft an attack that is bespoke for the OT environment they have gained a foothold in and affect it in a very deliberate way. The possible impacts caused by this type of OT cyber-attack are near limitless but depend highly on the process under consideration. It is unlikely the impacts would be overt or simple, such as stopping the process, unless it was in an extreme and permanent way. Instead, the intended impacts are more likely to involve, for example, stealthily degrading the process or exfiltrating details of it to replicate it elsewhere.
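The five types above reduce to a small decision procedure over three questions: did the adversary use OT TTPs, how deep in the Purdue Model did they target, and was the OT targeting deliberate and process-aware? The following Python is an added example (not code from the author or from Orange Cyberdefense) that encodes that procedure and tallies category shares over a constructed sample. The incident records, their attribute values and the rule that OT TTPs can only be exercised below the level 3.5 DMZ are assumptions made for the illustration; real incidents need an analyst to assign the attributes.

```python
"""Tag OT incidents with the 1a-2b taxonomy described above (added example)."""
from collections import Counter
from dataclasses import dataclass

DMZ_LEVEL = 3.5  # Purdue level 3.5; every level numerically below it is OT


@dataclass(frozen=True)
class Incident:
    name: str
    deepest_level: float          # deepest Purdue level the adversary targeted (5 = enterprise, 0 = physical)
    ot_ttps: bool                 # OT-specific TTPs used (logic changes, control-protocol writes, ...)
    deliberate_ot: bool           # OT assets chosen on purpose rather than swept up by an IT campaign
    process_comprehension: bool   # attack tailored to the victim's physical process


def consistent(inc: Incident) -> bool:
    """Assumption: OT TTPs can only be exercised once the adversary is below the DMZ."""
    return not (inc.ot_ttps and inc.deepest_level >= DMZ_LEVEL)


def classify(inc: Incident) -> str:
    """Return the attack type: '1a', '1b', '1c', '2a' or '2b'."""
    if not consistent(inc):
        raise ValueError(f"{inc.name}: OT TTPs recorded but the adversary never passed the DMZ")
    if not inc.ot_ttps:                        # category 1: IT TTPs only
        if inc.deepest_level >= DMZ_LEVEL:
            return "1a"                        # OT never reached; impact is cascading
        return "1c" if inc.deliberate_ot else "1b"
    return "2b" if inc.process_comprehension else "2a"   # category 2: OT TTPs in play


def category(attack_type: str) -> int:
    return int(attack_type[0])


def summarise(incidents):
    """Percentage share of each type and of each category across a sample."""
    types = [classify(i) for i in incidents]
    n = len(types)
    by_type = {t: round(100 * c / n, 1) for t, c in sorted(Counter(types).items())}
    by_cat = {k: round(100 * c / n, 1)
              for k, c in sorted(Counter(category(t) for t in types).items())}
    return by_type, by_cat


# Constructed sample incidents (not real cases); attribute values are illustrative only.
SAMPLE = [
    Incident("ERP ransomware, plant idled by lost order system", 4, False, False, False),
    Incident("ransomware spread into Windows HMIs over a flat network", 2, False, False, False),
    Incident("wiper aimed at engineering workstations", 2, False, True, False),
    Incident("PLC stop command issued with public tooling", 1, True, True, False),
    Incident("bespoke logic change quietly degrading product quality", 1, True, True, True),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(f"{classify(inc)}  {inc.name}")
    print(summarise(SAMPLE))
```

The `consistent` check is the caveat worth keeping: a record claiming OT TTPs at level 4 or 5 is a data-entry error, not a sixth type, and rejecting it early stops such records from quietly inflating the category 2 share.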
It appears there is a skew towards category 1 attacks (as we pointed out earlier in this blog), which might be saving us from the much-vaunted OT apocalypse. Many current OT cyber security controls and concepts are borrowed from IT, and as such, they are better at detecting and preventing category 1 attacks. However, as access to knowledge and equipment grows and as adversaries build up better capabilities to specifically target OT, there’s a real possibility that we’ll see a growing number of category 2 attacks. Developing the relevant OT cyber security controls to detect and prevent them is the first step in preparing for that. To do this, we need to distinguish the categories and types of attacks to better understand how and when those category 2 attacks are on the rise.
The types of OT cyber-attacks that we’ve defined and the reasons why they are important all rely on some bold claims. So, rather than expect you to take our word for it, we thought we’d put them to the test. To do this, we’ve collected and analyzed every publicly reported OT cyber-attack we could find from 1988 to 2023. Below is an excerpt from our analysis; the full version and transparent methodology can be found in the Security Navigator 2024.
The most notable aspect of the 35 years of OT cyber-attacks was the surge of attacks perpetrated by cyber criminals beginning in 2020. This surge is in line with the advent of double extortion and therefore conforms with our Cy-X data.
The rise of double extortion didn’t just change the overall types of adversaries attacking OT; it also changed the victim sectors affected. When we break down the victim sectors by year, we also see a significant shift from a diverse range of sectors to being heavily manufacturing-focused. However, given that Cy-X tends to favor targeting manufacturing, this makes sense.
Figure 3 shows us the flows of OT cyber-attacks. The year of an attack, grouped into 5-year bins for clarity, flows from the left into the adversary that conducted the attack. The attack flow continues from the adversary to the category of OT cyber-attack, through to the type. Finally, the type of attack flows into a representation of the deepest level of the Purdue Model the attack reached in terms of targeting (it may have impacted the OT completely, even from Level 5).
The immediate takeaway from this visualisation is the drastic increase in attack frequency in 2020, which overwhelmingly saw criminals using IT TTPs against IT targets, resolving at levels 4 and 5 of the Purdue Model. This reinforces the two narratives we described occurring before and after the advent of double extortion in 2020.
Delving into a deeper analysis of the categories and types, it becomes clear that a significantly larger number of cyber-attacks that cause OT impact are category 1 and use only IT TTPs, at 83% of the total. This is bolstered by the large share of type 1a attacks at 60% of the total, which specifically target the IT, meaning levels 4 and 5 of the Purdue Model. By comparison, attacks that included the use of OT TTPs were far less common at 17% of the total.
So, where do we go from here? What will the future hold? Are OT cyber-attacks all just IT TTPs on IT targets and circumstantial OT impact? Or might we see the relentless onslaught from criminals turn towards category 2 attacks for greater brutality?
Setting OT aside for a moment, the current type 1a Cy-X attacks appear to be relatively lucrative for criminals, and this veritable pandemic may get worse before it gets better. However, if organizations begin to build up resilience to contemporary Cy-X attacks, whether through good backup processes or otherwise, it is logical that the criminal modus operandi (MO) will change. Given the prevalence of OT-using organizations as Cy-X victims, could that change in MO be towards category 2 OT cyber-attacks? Fortunately, to facilitate a discussion around that question, we can turn to routine activity theory (RAT).
RAT is a criminological theory that states a crime will be likely to take place given three elements are present: a motivated offender, a suitable target, and the absence of a capable guardian. Here we’ll provide a brief discussion on each point based on what we have seen so far.
As can be seen from the OT cyber-attack data we have presented here, for whatever reason, criminals currently have a penchant for organizations that happen to use OT. What’s more, the way current Cy-X attacks heedlessly affect their victims’ OT environments makes it clear that criminals are not concerned about physical consequences. Either that, or they are possibly even intentionally causing threats to safety. Lastly, if we see ransom payments for IT-focused Cy-X decline, that will likely pressure criminals into changing their MO to something for which their victims are less defensively prepared.
Criminals may already be specifically targeting organizations that use OT because they see the effect of impacting production as valuable. If existing methods for doing this, such as type 1a Cy-X attacks, decline in reliability, criminals may seek to target the OT directly instead. In our data, 40% of all OT cyber-attacks and 16% of those conducted by criminals managed to reach the operational technology to affect it. These were type 1b, 1c, 2a, or 2b OT cyber-attacks. Adversaries and, to a lesser extent, criminals are already accessing OT environments. Should they require access to deliberately target the OT, it isn’t inconceivable that criminals would be able to achieve it.
One major consideration regarding whether OT is a suitable target is its unfamiliar context to most criminals. However, while they would need to develop technical capability, there is a growing base of OT cyber security knowledge in the form of courses, books, talks, and even dedicated conferences from which they could learn. Moreover, OT devices such as PLCs and HMIs are becoming less prohibitively expensive for learning and eventual attack testing. All of this culminates in lowering barriers to entry from a technical perspective.
The most fundamental point of this component is the suitability of the victim organisation itself. This suitability includes a large attack surface, available time for the adversary to conduct the attack, and the value specific assets may have to the victim. As we can see in historical Cy-X attacks, adversaries are already finding plenty of vulnerabilities to exploit in their victims and clearly do not often encounter what would be described as best practice cyber security.
The uptime and efficiency of an OT environment is often well quantified, meaning the value of OT impact is likely not as nebulous as encrypted or leaked data. This all presents a clearly suitable target in OT-using organizations.
Absence of a capable guardian
If criminals consider moving away from category 1 Cy-X conducted with IT TTPs, it will primarily be in response to effective guardianship from IT cyber security controls. They may then turn to OT TTPs precisely because defending against them is harder: few security controls exist that were built specifically for OT.
Technical security controls are not the only form of capable guardian, of course. RAT considers other forms of guardianship, such as informal (community) and formal guardianship. The latter, formal guardianship, implies efforts made by law enforcement and governments. Ultimately, OT will face the same challenges in disrupting the criminal ecosystem, and so a capable guardian being absent, or ineffective at disrupting crime, is a realistic outlook.
While we’ve been considering whether there may be a shift to criminals targeting OT with category 2 cyber-attacks, we’ve been working on some interesting, speculative research. It has culminated in a novel and pragmatic Cy-X technique specifically targeted against OT devices; in particular, PLCs and their accompanying engineering workstations. We call it Dead Man’s PLC.
Dead Man’s PLC starts at the engineering workstation, the asset where engineers will create configurations and load them onto PLCs across the OT environment. As we’ve seen, there is no shortage of OT cyber-attacks reaching the depths of the Purdue Model where engineering workstations may reside – generally levels 2 or 3 depending on numerous factors.
Once the criminal is on the engineering workstation, they can view the existing ‘live’ PLC code in its project files, edit it, and download new configurations to the PLCs. Dead Man’s PLC takes advantage of this capability, as well as existing OT functionality and seldom-used security controls, to hold the victim’s entire operational process and, by proxy, the physical world to ransom.
Dead Man’s PLC works by adding to the legitimate, operational PLC code to create a covert monitoring network, whereby all the PLCs remain functional but are constantly polling one another. If the polling network detects any attempt from the victim to respond to the attack, or the victim does not pay their ransom in time, polling will cease, and Dead Man’s PLC will trigger akin to a Dead Man’s switch and detonate. Detonation involves deactivating the legitimate PLC code, which is responsible for the control and automation of the operational process, and activation of malicious code that causes physical damage to operational devices. This leaves the victim with no realistic option but to pay their ransom; their only other alternative recovery method is to gracelessly shut down and replace every affected PLC in their operational process, which will cost them lost production time, damaged goods, and the cost of new assets.
If you’d like to read more about Dead Man’s PLC and how it works, see its dedicated research paper.
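The part of Dead Man’s PLC a defender can actually see from the network is the covert polling: PLCs that previously only talked to the supervisory and engineering hosts start talking to each other, at a steady cadence. The Python below is an added example, not code from the paper or from Orange Cyberdefense, that flags PLC-to-PLC client/server pairs absent from an engineering baseline and reports how regularly they recur. The asset inventory, addresses, baseline, flow records and port 502 are all constructed placeholders for the illustration. Because the page states that any detected attempt to respond triggers detonation, the example only observes and reports; what to do with the alert is a response decision it deliberately does not make.

```python
"""Passive detection of unexpected PLC-to-PLC polling (added example)."""
from collections import defaultdict
from statistics import median

# Constructed asset inventory with hypothetical addresses.
ASSETS = {
    "10.10.2.10": "SCADA",   # supervisory host (Purdue level 2/3)
    "10.10.2.20": "EWS",     # engineering workstation
    "10.10.1.11": "PLC-1",
    "10.10.1.12": "PLC-2",
    "10.10.1.13": "PLC-3",
}

# Client/server pairs observed during normal operation (constructed baseline).
BASELINE = {
    ("SCADA", "PLC-1"), ("SCADA", "PLC-2"), ("SCADA", "PLC-3"),
    ("EWS", "PLC-1"), ("EWS", "PLC-2"), ("EWS", "PLC-3"),
}


def role(ip: str) -> str:
    return ASSETS.get(ip, "UNKNOWN")


def is_plc(ip: str) -> bool:
    return role(ip).startswith("PLC-")


def find_peer_polling(flows, baseline=BASELINE, min_repeats=3):
    """Return {(client, server): (count, median_interval_s)} for PLC-to-PLC pairs
    that are absent from the baseline and recur at least min_repeats times.
    median_interval_s is None when only one flow was seen."""
    seen = defaultdict(list)
    for ts, src, dst, _port in flows:
        if is_plc(src) and is_plc(dst):
            pair = (role(src), role(dst))
            if pair not in baseline:
                seen[pair].append(ts)
    report = {}
    for pair, stamps in seen.items():
        if len(stamps) >= min_repeats:
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            report[pair] = (len(stamps), median(gaps) if gaps else None)
    return report


# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port). Port 502 is a placeholder.
FLOWS = []
for t in range(0, 8):
    FLOWS.append((t, "10.10.2.10", "10.10.1.11", 502))   # SCADA polls PLC-1 every second (expected)
for t in range(0, 8, 2):
    FLOWS.append((t, "10.10.1.11", "10.10.1.12", 502))   # ring: PLC-1 -> PLC-2 every 2 s
    FLOWS.append((t, "10.10.1.12", "10.10.1.13", 502))   # PLC-2 -> PLC-3
    FLOWS.append((t, "10.10.1.13", "10.10.1.11", 502))   # PLC-3 -> PLC-1
FLOWS.append((3, "10.10.2.20", "10.10.1.12", 502))       # one engineering download (expected)
FLOWS.append((5, "10.10.1.12", "10.10.1.11", 502))       # single stray flow, below threshold

if __name__ == "__main__":
    for pair, (n, gap) in sorted(find_peer_polling(FLOWS).items()):
        cadence = "n/a" if gap is None else f"{gap:.1f}s"
        print(f"{pair[0]} -> {pair[1]}: {n} flows, median interval {cadence}")
```

The repeat threshold exists so a single engineering-time packet between two PLCs does not page anyone; a regular cadence across several distinct pairs, as in the constructed ring above, is the pattern worth escalating to someone who understands the process before anything is touched.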
This analysis has explored the history of OT cyber-attacks to understand the changing landscape and what we may face in the imminent future. The recent data from 2020 onwards, when split into its categories and types, shows that we shouldn’t believe the hype of OT cyber-attacks. Instead, we should be focusing on tackling the Cy-X issue itself in the short term. This means building operational resilience and confidence in our OT to withstand attacks on Levels 4 and 5 of the Purdue Model. We are, however, aware that is easier said than done.
It wouldn’t be prudent to outright declare that criminals are going to begin attacking OT with novel Cy-X techniques in response to less reliable ransom payments either.
However, it also wouldn’t be prudent to say this is never going to happen. At the risk of sitting on the fence, we’ll say that there is a genuine possibility that we may see Cy-X evolve to target OT-specific assets, it may just take a particularly innovative Cy-X group to do so.
This is just an abridged version of one of the stories found in the Security Navigator. Other exciting research, like a study of Hacktivism and an analysis of the surge in Cyber Extortion (as well as a ton of other interesting research topics), can be found there as well. It’s free of charge, so have a look. It’s worth it!
Note: This piece was contributed by Dr. Ric Derbyshire, Senior Security Researcher, Orange Cyberdefense.